EPPB Is the ElcomSoft Phone Password Breaker. The latest version, released today, makes it simple for forensic analysts to obtain and decrypt users’ iCloud data. “With valid Apple ID and a password”, claims ElcomSoft CEO Vladimir Katalov, “investigators can not only retrieve backups to seized devices, but access that information in real-time while the phone is still in the hands of a suspect.” This is because EPPB allows its operator to download backups from iCloud to a separate computer system for investigation.
The value of this to investigators comes from the value of iCloud to Apple users – and according to Apple’s fiscal Q2 2012 financial results announced last month, there are already 125 million of them. iCloud gives the user data backup and device synchronization facilities. If it used for backup, this is done incrementally and automatically whenever a docked device gets within range of a WiFi access point. That is, says ElcomSoft, iCloud backups represent a fresh, near real-time copy of information stored on iPhone devices, including information about recently made and received calls, sent and received text and email messages, users’ passwords and websites visited.
The value of this to forensic and law enforcement investigators is obvious. But is the product as ‘good’ as it sounds. Infosecurity enlisted the help of security researcher Robin Wood (DigiNinja, whose day job is a senior engineer with pentesting RandomStorm). “This product,” he told Infosecurity, “is designed for forensics people and pen-testers who manage to gain access to a client’s backup files.”
We tested it on Wood’s own iPhone. “On a low spec virtual machine it cracked my dictionary-based backup password in about 3 seconds using a very large dictionary,” he says. “That is very good. If the password were more secure so that the words in the dictionary had to be manipulated before being used then it would take longer – but I think it would still be fairly quick on a high spec machine.”
One danger, inherent in all forensics software, is that what can be used by the good guys can also be used by the bad guys. “Anything could be used by bad guys,” Wood told Infosecurity. “This could be, but it would be in a targeted attack rather than a generic automated attack. An attacker who got access to the backup file and managed to crack it would then have access to lots of the user’s stored passwords.” ElcomSoft will only sell its products to legitimate forensic investigators.
But there remains one problem for these investigators. “Logging into iCloud presently requires the Apple ID and password. We are exploring other ways to do this,” ElcomSoft’s Olga Koksharova told Infosecurity.